Message exchanges between two or more parties in a wireless network or over the Internet are vulnerable to eavesdropping and manipulation by other parties. Security is required to protect the confidentiality and integrity of the message exchanges. Typically, messages are protected by encrypting and authenticating them with a session key shared between the intended parties. A shared session key is often derived from a shared master key (MK); the master key itself is used rarely and can therefore be guarded more tightly against compromise.
In low-power wireless networks, such as a body area network, a plurality of nodes form a network with a hub, which may also be referred to as a network controller or coordinator. The nodes may establish secured or unsecured connections with their desired hub. The amount and frequency of information exchanged between each node and the hub varies by time and by node. The nodes and hub designate allocation intervals in which they can communicate over a shared channel.
Communication between two parties over an open channel poses several security problems for the communicating parties. Their communications can be overheard or forged by a third party, which poses a problem for them if they wished their exchanges to be confidential and authentic.
The risk of a third party intercepting, interpreting, and interjecting messages over an open channel is typically addressed by encryption and authentication performed with a secret key shared only between the two legitimate parties. Such a secret key in turn is often established based on public key cryptography methods. These methods allow two parties to exchange a public piece of information and use their counterparty's public information, along with a piece of their own private information, to derive the shared secret key that no one with knowledge only of the parties' public keys could trivially determine.
These exchanges of public information to generate secrets shared only between the two communicating parties, called Diffie-Hellman key exchanges, are now used widely for pairing or associating two communicating parties with each other over an open channel. Two popular instantiations are finite-field Diffie-Hellman, whose security rests on the discrete logarithm problem in a multiplicative group modulo a prime, and elliptic curve Diffie-Hellman.
Diffie-Hellman key exchanges, however, do not solve the problem of impersonation, in which a third party pretends to be one of the two legitimate parties in order to obtain, modify, and/or inject information. The attack is particularly effective when the same third party impersonates each legitimate party to the other, so that it sits between them and gains access to everything they exchange. These so-called “man in the middle” (MITM) attacks present an ongoing authentication problem: a party communicating over an open channel must authenticate the identity of its counterparty.
One popular solution to this problem uses a password or other predetermined shibboleth. The two parties authenticate each other by each confirming that the other party has knowledge of the same password. This poses its own issues because each party risks exposing the password to a third party, often through intended or unintended human behavior. In particular, the central controller of a network could be compromised, exposing the file listing the passwords of the nodes it controls. Once an adversary obtains a password intended to be shared only between two legitimate parties, the adversary can impersonate one of these parties to the other, defeating the security check.
Two parties that have never known each other before may use the Diffie-Hellman key exchange protocol to establish a secret (a master key) shared only between them in the presence of eavesdroppers. However, they are vulnerable to the man-in-the-middle attack, in which a third party (an adversary) intercepts the messages exchanged between the two legitimate parties and injects its own, impersonating each legitimate party while exchanging with the other. As a result, the two parties end up communicating through the third party while believing they are talking to each other directly.
It is often inconvenient or impossible to manually install or reinstall a pre-shared password, a shared session key, or a master key of sufficient length into the devices that wish to communicate. The Diffie-Hellman key exchange protocol, which is based on public key cryptography, allows two parties not previously known to each other to establish a shared secret by openly exchanging their public keys. The shared secret can be used to derive a shared master key and/or session key. The shared secret remains a secret between the two communicating parties even in the presence of third-party eavesdroppers, provided the protocol parameters are chosen appropriately.
In particular, after exchanging their public keys (A = g^a and B = g^b for an agreed group generator g) but not their private keys, both parties compute the same shared secret (SS) from their own private key (a or b) and the received public key (B or A): SS = B^a = A^b = g^(ab). The shared secret can then be used to create a master key and/or session key for securing future communications between the two parties. A third party, such as an eavesdropper, with access only to the public keys A and B cannot recreate the shared secret because it holds neither private key. The private and public keys may be pre-installed into the device or they may be selected by the device.
The Diffie-Hellman key exchange, nevertheless, is susceptible to impersonation and man-in-the-middle attacks. A third-party impostor can impersonate one of the two legitimate parties, exchanging public keys and hence establishing a shared secret with the other, without the latter being aware of it. While the two legitimate parties exchange their public keys, a third party can also intercept their messages and inject its own, impersonating each sender to the other party separately. Thus, the two legitimate parties unknowingly communicate with the malicious third party instead of each other as they believe.
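The exchange described in the two preceding paragraphs, run once honestly and once with an active attacker substituting its own public value in each direction, as an added example that is not part of the original text. The group parameters (p = 2039, q = 1019, g = 4) are a toy safe-prime group chosen so the arithmetic is easy to follow; they are an assumption of this example, not parameters the text specifies, and real deployments use the 2048-bit and larger MODP groups of RFC 3526/7919 or elliptic curve Diffie-Hellman. The `exchange` function and its return keys are hypothetical names introduced here.

```python
"""Toy finite-field Diffie-Hellman, honest run and man-in-the-middle run."""
import hashlib
import secrets

# Toy safe prime p = 2q + 1 with q = 1019 (both prime).  g = 4 = 2^2 is a
# quadratic residue, so it generates the order-q subgroup.  Constructed for
# readability only: p is far too small to resist discrete-log attacks.
P = 2039
Q = 1019
G = 4


def keypair(priv=None):
    """Return (private, public).  Draws a random private key if none is given."""
    if priv is None:
        priv = secrets.randbelow(Q - 1) + 1      # a in [1, q-1]
    return priv, pow(G, priv, P)


def valid_public(pub):
    """Reject 0, 1, p-1 and anything outside the order-q subgroup, which
    would otherwise let a peer force the shared secret into a tiny set."""
    return 1 < pub < P - 1 and pow(pub, Q, P) == 1


def shared_secret(priv, peer_pub):
    """SS = peer_pub^priv mod p.  Because A^b = g^(ab) = B^a, both sides agree."""
    if not valid_public(peer_pub):
        raise ValueError("invalid public key")
    return pow(peer_pub, priv, P)


def derive_mk(ss):
    """Derive a master key by hashing the raw shared secret (never use SS directly)."""
    return hashlib.sha256(b"MK" + ss.to_bytes(2, "big")).hexdigest()


def exchange(a, b, m=None):
    """Run the exchange between A (private a) and B (private b).

    With m = None the public values reach their destination unchanged.  With an
    attacker private key m, the attacker replaces A's public value with its own
    on the way to B and B's public value with its own on the way to A, so each
    legitimate party ends up sharing a secret with the attacker instead.
    """
    a_priv, pub_a = keypair(a)
    b_priv, pub_b = keypair(b)
    if m is None:
        return {"A": shared_secret(a_priv, pub_b),
                "B": shared_secret(b_priv, pub_a)}
    m_priv, pub_m = keypair(m)
    return {"A": shared_secret(a_priv, pub_m),           # A thinks pub_m is B's key
            "B": shared_secret(b_priv, pub_m),           # B thinks pub_m is A's key
            "M_with_A": shared_secret(m_priv, pub_a),
            "M_with_B": shared_secret(m_priv, pub_b)}


if __name__ == "__main__":
    honest = exchange(*[keypair()[0] for _ in range(2)])
    print("honest run, keys agree:", honest["A"] == honest["B"],
          "MK =", derive_mk(honest["A"])[:16], "...")
    mitm = exchange(keypair()[0], keypair()[0], keypair()[0])
    print("MITM run, A and B agree:", mitm["A"] == mitm["B"])
    print("attacker shares A's key:", mitm["A"] == mitm["M_with_A"],
          "and B's key:", mitm["B"] == mitm["M_with_B"])
```

Nothing in the exchange lets A or B notice the substitution: each receives a well-formed public value, checks it, and derives a perfectly good key, just not with the party it expected. That is the gap entity authentication has to close.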
To thwart such attacks, entity authentication is introduced into the key exchange between two communicating parties, to ensure that each is communicating with the expected or claimed other party and not an impostor. Shared passwords are widely used for entity authentication: it is much more convenient to share a relatively short password than a long secret key between two parties. However, many password-based authentication protocols are vulnerable to offline dictionary attacks. For example, when a claimant attempts to corroborate its identity to a verifier by sending a message showing knowledge of the password, a third party impersonating the verifier can record that message and thereafter search the short password space against it offline, with no further interaction.
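The offline dictionary attack just described, as an added example that is not part of the original text. The challenge-response "protocol" here (the claimant returns H(nonce || PIN)) is a constructed strawman standing in for the weak password proofs the paragraph alludes to, not a protocol the text names; the four-digit PIN, the nonce and the function names are assumptions of this example.

```python
"""Offline dictionary attack on a naive password challenge-response."""
import hashlib
import secrets


def naive_proof(pin, nonce):
    """Claimant side: prove knowledge of the PIN by returning H(nonce || PIN).
    Weak by design: the transcript alone is enough to test guesses against."""
    return hashlib.sha256(nonce + pin.encode()).hexdigest()


def impostor_verifier(claimant_pin, nonce=None):
    """The impostor plays the verifier: it issues a nonce and records the
    claimant's proof.  Assumes the claimant answers whoever asks, since the
    naive protocol gives it no way to authenticate the verifier first."""
    if nonce is None:
        nonce = secrets.token_bytes(16)
    return nonce, naive_proof(claimant_pin, nonce)


def crack_pin(nonce, recorded_proof, digits=4):
    """Offline search over every PIN of the given length.  No messages are
    sent: each guess is checked by recomputing the proof locally.
    Returns (pin, guesses_made) or (None, space_size) if nothing matched."""
    space = 10 ** digits
    for i in range(space):
        candidate = f"{i:0{digits}d}"
        if naive_proof(candidate, nonce) == recorded_proof:
            return candidate, i + 1
    return None, space


if __name__ == "__main__":
    victim_pin = "2580"                       # constructed victim PIN
    nonce, proof = impostor_verifier(victim_pin)
    pin, guesses = crack_pin(nonce, proof)
    print(f"recovered PIN {pin} after {guesses} offline guesses")
```

The whole four-digit space costs ten thousand hash computations, well under a second on any laptop, and the claimant never sees a single failed login because every guess is checked against the recorded transcript rather than against the claimant. Lengthening the PIN only raises the cost linearly in the space size; the structural fix is a protocol whose transcript is independent of the password, so that a recorded exchange gives an attacker nothing to test guesses against.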
The term “party” as used herein will be understood to include devices, such as nodes and hubs communicating in a network, as well as individual users. The following terms are also meant to be synonymous: key exchange, key agreement, key establishment, and security association. Also interchangeable are method, protocol, procedure, and process.